Energy Department Breach Years In Making, Investigators Say

July data breach that affected up to 150,000 employees traces back to a string of managerial and technical failures, investigators conclude.

The July 2013 Department of Energy breach happened because of an ongoing number of managerial and technological failures, some of them stretching back years.

That's the top-level takeaway from a 28-page report, released Wednesday, by Gregory H. Friedman, the inspector general (IG) of the Department of Energy. The IG's report is a result of an investigation that was launched, in part at the request of the DOE's CIO, after an attacker hacked into the DOE Employee Data Repository (aka DOEInfo), which is accessed via a gateway provided by the agency's management information system (MIS).

The list of failures cataloged by the report is extensive, starting with a "lack of urgency" over information security matters. "While we did not identify a single point of failure that led to the MIS/DOEInfo breach, the combination of the technical and managerial problems we observed set the stage for individuals with malicious intent to access the system with what appeared to be relative ease," said Friedman. The attacker exploited a DOEInfo vulnerability for which attack code was publicly available on the Internet.

The data breach may also be more extensive than realized. According to previous DOE disclosures, attackers stole personally identifiable information (PII) for 104,000 people. But according to Friedman, the number may be closer to 150,000, based on a number of additional nine-digit records -- which may be social security numbers -- that the IG's office found in digital forensic data. DOE officials have responded to that finding by saying that they believe at least some of the discrepancy may be due to "false positives."

Furthermore, the report revealed that stolen information didn't only comprise names, dates of birth, social security numbers, and some bank account numbers, as the DOE previously disclosed. Information pertaining to places of birth, education, security questions -- and answers -- and disabilities was also exposed.

The hack was the third MIS breach to occur within three years. The breach occurred after an attacker gained access to DOEInfo, an outdated Adobe ColdFusion system that has been rebuilt since the attack. DOEInfo first launched in 1994, and more than 30 different systems were connected to the database at some point in time. But according to the IG's report, DOE management failed to keep abreast of how the database was being used, or seemingly of the agency's enterprise architecture in general. One sign of that: at least two disused systems were still connected to DOEInfo. During the July 2013 breach, the attacker accessed one of those systems, although it reportedly didn't store sensitive data.

Other problems that contributed to the breach involved the agency failing to encrypt stored PII and using social security numbers as unique identifiers, in violation of federal guidelines. Friedman's report also slammed the agency for "permitting direct Internet connections to a highly sensitive system without adequate security controls," noting that the security controls in place for checking email were stronger than the controls in place to secure access to DOEInfo.

Department of Energy headquarters in Washington, DC. (Image by cliff1066.)

The report also found that the DOE failed to patch, improve, or upgrade systems "even though they were known to have critical and/or high-risk security vulnerabilities." Likewise, the agency appeared to lack plans for replacing systems that had reached the end of their life. "Although core support for the version of the compromised application upon which MIS was built ended in July 2012, the department did not purchase updated software until March 2013 -- eight months after support for the outdated application ended," Friedman said.

On the subject of information security responsibility, confusion reigned, with the Office of the Chief Information Officer (OCIO) and the Office of the Chief Financial Officer (OCFO) -- which maintained DOEInfo -- each believing that the other department was in charge of patching system vulnerabilities. Managers interviewed by the IG's office acknowledged that even though DOEInfo sported known, high-risk vulnerabilities in systems, "they lacked the authority to impose restrictions on system operation or take other corrective measures when known security vulnerabilities were not addressed," Friedman said. "We could not determine with certainty whether the lack of authority, in all instances, was real or only perceived."

Regardless, senior managers failed to take charge of security matters. "OCIO officials told us that various system owners they supported prohibited them from making security updates to applications in a timely manner because doing so would make it harder for employees to do their work," said Friedman. "Conversely, program officials indicated that they directed security-related issues to the OCIO and never received responses."

An application developer had reported the DOEInfo system vulnerabilities to the CIO's office. But they "were not fully investigated," Friedman said, leading him to "question the thoroughness of department's analysis of the reported anomalies."

To date, the costs of the DOEInfo breach have included $1.6 million for credit monitoring and an estimated $2.1 million in lost productivity, owing to the agency granting affected personnel up to four hours of paid leave. According to DOE insiders, as well as the IG's report, the breach -- and the perception that related data breach notifications weren't released in a timely manner -- also took a bite out of employee morale.

The IG's report makes a number of cybersecurity program and control environment recommendations to prevent a future breach, aimed at improving communications and coordination and ensuring that all PII gets stored and used securely. Related changes have begun, including no longer storing outdated information and encrypting all social security numbers. In addition, the CIO's office is implementing "improvements to the real-time protection and continuous monitoring of DOEInfo and the underlying infrastructure," Friedman said.

Mathew Schwartz is a freelance writer, editor, and photographer, as well the InformationWeek information security reporter.

That's a great point, Wyatt. Kudos to the current DOE management -- including the CIO -- for not only calling for an investigation but also publishing the results of the related inquiry, as well as apparently getting needed fixes in place, finally.

Part of the reason this breach occurred is because past generations of DOE upper management allowed it to happen. They authorized the continued development of new applications that hooked into the outdated/insecure/Internet-accessible/unsuitable Adobe ColdFusion DOEInfo database. Fast-forward some years, and you have a breach waiting to happen.

Current DOE management inherited a mess. Should they have fixed it faster? That's open to debate. Regardless, credit where due: "From what I can tell, DOE is doing about the best job in government on cyber governance in a very challenging structure where each element has enormous business independence," Alan Paller, director of research at the SANS Institute, told me earlier this year. (It's notable, of course, that this breach involved HQ, rather than one of the DOE's contract organizations. Meaning that it can't hide behind "business independence," because it's in charge and should be setting a standard that it expects everyone else to emulate.)

With luck, DOE's experience will spur other agencies to do what they should be doing: nuking outdated systems, replacing legacy integrations with modern connectors, eliminating outdated data stores, inventorying all enterprise applications (so they know what to secure) and documenting the name of the person inside the agency whose head will roll if a given application isn't kept updated/secure. For starters.

This is something else. I hope that managers read this and see it as a wake-up call, because it is evident that these types of breaches can cost an organization a lot of money. Maybe someone will learn from these mistakes, and that in turn will prevent some sort of future breach which could have affected countless lives in terms of potential identity theft risks.

This report is certainly a cautionary tale about what happens when managers ignore advice and/or choose to underinvest.

But this report is also remarkable for another reason. It's something that you'll rarely see in the private sector. In fact, government agencies deserve more credit than they get for 1) maintaining inspectors on staff to investigate operating problems; and 2) for releasing the messy findings when they occur, as DOE's inspector general has -- and other agency inspectors general do on a regular basis.

It's not a lot of consolation for those whose private information was compromised. But take a moment to ponder: You don't see a report like this explaining why an Amazon regional cloud center went down or how a credit card processing company got hacked.

Now let's hope DOE and other federal agencies learn from their mistakes.

"On the subject of information security responsibility, confusion reigned, with the Office of the Chief Information Officer (OCIO) and the Office of the Chief Financial Officer (OCFO) -- which maintained DOEInfo -- each believing that the other department was in charge of patching system vulnerabilities." That makes me squirm just thinking about it. But IT pros see this time and again -- complete failure to communicate.